User Security Manager
Password encryption question
  Richard Kaye
  All
  Jan 23, 2020 @ 02:48pm

Hi Rick,

In my never-ending quest to take advantage of as many of your tools as possible, I'm now investigating how to implement usersecurity. Rod did take a pass at this but opted to customize things a bit. At the moment, we're using the non-UI methods and I have an existing variant of the usersecurity table that our app is using. It is not encrypting the passwords. The first question I have right now is: can I take the data from that table and get the existing passwords encrypted? Or do I have to manually recreate each user account? Hopefully that's not too unclear a question...

TIA

re: Password encryption question
  Rick Strahl
  Richard Kaye
  Jan 23, 2020 @ 03:21pm

The wwUserSecurity class supports encryption but it has to be enabled using the .cPasswordEncryptionKey property. Any password look up with a plain text password is first hashed and then compared with the hashed values in the database to find the user.

loSecurity = CREATEOBJECT("wwUserSecurity")
loSecurity.cPasswordEncryptionKey = Process.oConfig.cEncryptionKey && any string

With that set, any time a user is saved the password is encrypted to a SHA256 hash. Note - the value is a hash, so it's one way - you can't find the password again.

The Save() method is smart enough to know whether the password is already encrypted and only encrypts when it's not. There's a postfix on a hashed password that identifies the value as encrypted.

For existing users you can use the GetPasswordHash() method to encrypt the passwords in the table. It'll encrypt any passwords that are not already encrypted using the encryption key.

+++ Rick ---

re: Password encryption question
  Richard Kaye
  Rick Strahl
  Jan 24, 2020 @ 08:52am

Thanks, Rick. Since it encrypts existing passwords the first time it encounters an unencrypted one, that works for me. And I saw this in action. I do have to figure out some bits that are a result of using our own UI instead of the ones in the class.

I also want to subclass this so it can hit a SQL DB instead of a VFP table. I assume a good starting point is to add the open method to my app subclass PRG and override the base behavior.

re: Password encryption question
  Rick Strahl
  Richard Kaye
  Jan 24, 2020 @ 11:44am

Yes you can subclass and override all methods that do the data access (which shouldn't be many).

I think if you have existing users you likely will want to encrypt everything with a SCAN pass, just to have everything encrypted and not some stragglers in your DB that may never get accessed and sit there unencrypted forever.

+++ Rick ---
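The two replies above describe three behaviours: a password lookup that hashes the plain-text input with the configured key and compares it with the stored hash, a Save() that only hashes when the stored value does not already carry the "already hashed" postfix, and a one-off SCAN-style pass that hashes every remaining plain-text password so no stragglers are left. The following Python is an added illustration of that scheme, not West Wind's wwUserSecurity code or a port of it: the postfix string, the use of HMAC-SHA256 as the keyed hash, and the in-memory list of user records are all assumptions made here so the example runs stand-alone.

```python
import hashlib
import hmac

# Constructed marker: the thread says a postfix identifies a hashed value,
# but does not say what it is, so this value is an assumption.
HASH_POSTFIX = "~~"
HEX_DIGEST_LEN = 64  # SHA-256 hex digest length


def hash_password(plain: str, key: str) -> str:
    """Keyed SHA-256 of the plain-text password, tagged with the postfix.

    HMAC is assumed here as the keyed construction; the thread only says
    'SHA256 hash' plus an encryption key.
    """
    digest = hmac.new(key.encode("utf-8"), plain.encode("utf-8"),
                      hashlib.sha256).hexdigest()
    return digest + HASH_POSTFIX


def is_hashed(value: str) -> bool:
    """Detect an already-hashed value by its postfix.

    The length check guards against a plain-text password that merely
    happens to end with the postfix characters.
    """
    return (value.endswith(HASH_POSTFIX)
            and len(value) == HEX_DIGEST_LEN + len(HASH_POSTFIX))


def save_user(user: dict, key: str) -> dict:
    """Idempotent save: hash only if the stored value is still plain text."""
    if not is_hashed(user["password"]):
        user["password"] = hash_password(user["password"], key)
    return user


def get_user(users: list, username: str, plain_password: str, key: str):
    """Look up a user by hashing the supplied password and comparing hashes.

    A record whose password was never hashed can't match, which is why a
    full conversion pass over existing users matters.
    """
    candidate = hash_password(plain_password, key)
    for user in users:
        if (user["username"] == username
                and hmac.compare_digest(user["password"], candidate)):
            return user
    return None


def encrypt_all(users: list, key: str) -> int:
    """SCAN-style pass over every record; returns how many were converted."""
    converted = 0
    for user in users:
        if not is_hashed(user["password"]):
            save_user(user, key)
            converted += 1
    return converted


if __name__ == "__main__":
    # Constructed sample table: one legacy plain-text record, one already hashed.
    key = "example-encryption-key"
    table = [
        {"username": "alice", "password": "s3cret"},
        {"username": "bob", "password": hash_password("hunter2", key)},
    ]
    print("converted:", encrypt_all(table, key))        # 1
    print("second pass:", encrypt_all(table, key))      # 0, nothing left to do
    print("alice login:", get_user(table, "alice", "s3cret", key) is not None)
    print("bad login:", get_user(table, "alice", "wrong", key) is None)
```

Running the conversion pass twice shows the idempotence that Rick describes: the second pass converts nothing because every value already carries the postfix. The construction mirrors the page's keyed SHA-256; for a new design a purpose-built password hash with a per-user salt and a work factor would be the stronger choice, but the detection-of-already-hashed-values pattern is the same either way.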

re: Password encryption question
  Richard Kaye
  Rick Strahl
  Jan 24, 2020 @ 12:36pm

I'm up to 8 methods at the moment that potentially need to be subclassed. I've also got to come up with some (hopefully) elegant mechanism to tell WWC that I'm using a SQL DB for the various application tables that currently live in DBFs, including the user security table.

FUNCTION Open(lcFileName, llReOpen, llNonSilent)
FUNCTION DeleteUser(lcPk)
FUNCTION GetUser(lcUsername, lcPassword)
FUNCTION GetUserByUsername(lcUsername)
FUNCTION GetUserByValidationKey(lcValidationKey)
FUNCTION SaveUser()
FUNCTION NewUser()
FUNCTION GetUsers()

There aren't that many existing user accounts at the moment but I'll look more closely at your suggestion on pre-encrypting. At the moment I've got a lot more stuff to do to handle the UI elements that we customized.
